---
id: secrets-managers
sidebar_label: Secrets Managers
title: Secrets Managers
description: Safeguard credentials your service uses to authenticate to external resources.
abstract: You can store your assistant's secrets in an external credentials manager.
    Rasa Pro currently supports credentials manager for the Tracker Store
---

<!-- this file is version specific, do not use `@site/...` syntax -->
import RasaProLabel from '@theme/RasaProLabel';
import RasaProBanner from '@theme/RasaProBanner';

<RasaProLabel />
<RasaProBanner/>

:::info Available in Rasa Pro from 3.5.0
:::


Rasa Pro supports the following secrets managers:
* [HashiCorp Vault](https://www.hashicorp.com/products/vault)


Currently, Rasa Pro supports safeguarding credentials for the following services:
- [Tracker Stores](./tracker-stores.mdx)


## HashiCorp Vault Secrets Manager

Use Vault Secrets Manager to store credentials used to authenticate access to external services.
The credentials are stored in a Vault instance and can be encrypted at rest.
To store credentials in a Vault instance, you can read the official Vault docs
[Storing secrets in Vault](https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-first-secret).

You can also encrypt credentials at rest with
[Vault Transit Engine](https://www.vaultproject.io/docs/secrets/transit).

:::note
Expiring tokens need to be renewed periodically, and the renewal process is done over the network,
Rasa Pro will try to renew the token 15 seconds before it expires.
If the token's time-to-live (TTL) is less than 15 seconds, we will try to renew it after 1 second,
but it might fail due to network latency.

Rasa Pro has a built-in retry mechanism for renewing the token.

If the token is not renewed successfully it will be considered expired
and Rasa Pro will not be able to access the secrets.
You will need to create a new renewable token and restart Rasa Pro with new token.
:::


### Authentication
Rasa Pro can authenticate to Vault through
[Token authentication](https://www.vaultproject.io/docs/auth/token).

Both `expiring` and `non-expiring` (so called, root tokens) tokens are supported.
Rasa Pro will automatically renew the token if it is expiring.


### How to configure access to Vault

Access to Vault secrets manager can be configured with environment variables
and through `endpoints.yml` configuration file.

Environment variables and `endpoints.yml` configuration file are merged together
and **the values from the environment variables take precedence**.

:::info New in 3.7
Vault namespaces can be used to isolate secrets. You can
configure a namespace with the `VAULT_NAMESPACE` environment variable or the `namespace` key in secrets_manager
section of the `endpoints.yml` file.
To learn more about namespaces,
check out the [Vault namespaces docs](https://developer.hashicorp.com/vault/docs/enterprise/namespaces).
:::


The following environment variables are available:

| Environment Variable          | Description                                                                                    | Default               |
|:------------------------------|:-----------------------------------------------------------------------------------------------|:----------------------|
| `SECRET_MANAGER`              | **Required**. The secrets manager to use. *Currently only "vault" is supported*                | `vault`               |
| `VAULT_HOST`                  | **Required**. The address of the vault server                                                  |                       |
| `VAULT_TOKEN`                 | **Required**. token to authenticate to the vault server                                        |                       |
| `VAULT_RASA_SECRETS_PATH`     | Path to the secrets in the vault server                                                        | `rasa-secrets`        |
| `VAULT_TRANSIT_MOUNT_POINT`   | If transit secrets engine is enabled, set this to mount point of the transit engine            |                       |
| `VAULT_NAMESPACE`             | If namespaces are used, set this to the path of the namespace                                  |                       |

To configure the Vault secrets manager, you can fill the following section in `endpoints.yml` file:
```yaml-rasa title="endpoints.yml
secrets_manager:
    type: vault # required - the secrets manager to use
    token: <token> # required - token to authenticate to the vault server
    url: "http://localhost:1234" # required - the address of the vault server
    secrets_path: rasa-secrets  # path to the secrets in the vault server if not set it defaults to `rasa-secrets`
    transit_mount_point: transit # if transit secrets engine is enabled, set this to mount point of the transit engine
    namespace: my-namespace # if namespaces are used, set this to the path of the namespace
```

#### Store access credentials in environment variables
A simple example on how to combine environment variables and `endpoints.yml` configuration file
would be to store access token in the environment variable and the rest of the configuration
in the `endpoints.yml` file.

```bash
# environment variables
VAULT_TOKEN=<token used to authenticate to Vault>
```


```yaml-rasa title="endpoints.yml
secrets_manager:
    type: vault
    url: "http://localhost:1234"
    secrets_path: rasa-secrets  # if not set it defaults to `rasa-secrets`
    transit_mount_point: transit # if you have enabled transit secrets engine, and you want to use it
    namespace: my-namespace # if namespaces are used, set this to the path of the namespace
```

### How to configure Tracker Store with Vault Secrets Manager
1. Configure Rasa to access the Vault instance

    Checkout the [How to configure access to Vault](#how-to-configure-access-to-vault) section for more details.

2. Configure Rasa to use the Vault secrets manager to fetch credentials for the tracker store
    ```yaml-rasa title="endpoints.yml
    tracker_store:
          type: SQL
          url: localhost:5432
          username:
                source: secrets_manager.vault
                secret_key: sql_store_username
          password:
                source: secrets_manager.vault
                secret_key: sql_store_password
    ```
